490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9

Analysis

max time kernel
125s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 18:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9.exe
Size

212KB
MD5

0cefbca50a38c7eceab0c685084dde2a
SHA1

8669e329abad25eddbcfa0d969f180e3421dab29
SHA256

490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9
SHA512

c81a1264cfb4b553afbcf0e9c538dea3a9d9b8d52e7441e456b314e70c6f42803974d83ac8232050a3af5d7e384cb4863fd55f0332731f1564ded96ce71ff2f8
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DER4eQ6++M4EE0yxoFwq+hbWX3M:gDCwfG1bnxLERRy+Ml6/q+hKX3M

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
536	avscan.exe
1568	avscan.exe
1720	hosts.exe
1852	hosts.exe
1604	avscan.exe
1132	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1348	490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9.exe
1348	490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9.exe
536	avscan.exe
1720	hosts.exe
1720	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9.exe
File created	\??\c:\windows\W_X_C.bat	490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 8 IoCs

Modify Registry

T1112

pid	Process
1660	REG.exe
1348	REG.exe
1268	REG.exe
692	REG.exe
1084	REG.exe
2036	REG.exe
1320	REG.exe
1756	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
536	avscan.exe
1720	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1348	490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9.exe
536	avscan.exe
1568	avscan.exe
1720	hosts.exe
1852	hosts.exe
1604	avscan.exe
1132	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1268	1348	490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9.exe	27
PID 1348 wrote to memory of 1268	1348	490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9.exe	27
PID 1348 wrote to memory of 1268	1348	490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9.exe	27
PID 1348 wrote to memory of 1268	1348	490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9.exe	27
PID 1348 wrote to memory of 536	1348	490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9.exe	29
PID 1348 wrote to memory of 536	1348	490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9.exe	29
PID 1348 wrote to memory of 536	1348	490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9.exe	29
PID 1348 wrote to memory of 536	1348	490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9.exe	29
PID 536 wrote to memory of 1568	536	avscan.exe	30
PID 536 wrote to memory of 1568	536	avscan.exe	30
PID 536 wrote to memory of 1568	536	avscan.exe	30
PID 536 wrote to memory of 1568	536	avscan.exe	30
PID 536 wrote to memory of 636	536	avscan.exe	31
PID 536 wrote to memory of 636	536	avscan.exe	31
PID 536 wrote to memory of 636	536	avscan.exe	31
PID 536 wrote to memory of 636	536	avscan.exe	31
PID 1348 wrote to memory of 1644	1348	490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9.exe	33
PID 1348 wrote to memory of 1644	1348	490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9.exe	33
PID 1348 wrote to memory of 1644	1348	490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9.exe	33
PID 1348 wrote to memory of 1644	1348	490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9.exe	33
PID 636 wrote to memory of 1720	636	cmd.exe	36
PID 636 wrote to memory of 1720	636	cmd.exe	36
PID 636 wrote to memory of 1720	636	cmd.exe	36
PID 636 wrote to memory of 1720	636	cmd.exe	36
PID 1644 wrote to memory of 1852	1644	cmd.exe	35
PID 1644 wrote to memory of 1852	1644	cmd.exe	35
PID 1644 wrote to memory of 1852	1644	cmd.exe	35
PID 1644 wrote to memory of 1852	1644	cmd.exe	35
PID 636 wrote to memory of 284	636	cmd.exe	38
PID 636 wrote to memory of 284	636	cmd.exe	38
PID 636 wrote to memory of 284	636	cmd.exe	38
PID 636 wrote to memory of 284	636	cmd.exe	38
PID 1644 wrote to memory of 1768	1644	cmd.exe	37
PID 1644 wrote to memory of 1768	1644	cmd.exe	37
PID 1644 wrote to memory of 1768	1644	cmd.exe	37
PID 1644 wrote to memory of 1768	1644	cmd.exe	37
PID 536 wrote to memory of 692	536	avscan.exe	40
PID 536 wrote to memory of 692	536	avscan.exe	40
PID 536 wrote to memory of 692	536	avscan.exe	40
PID 536 wrote to memory of 692	536	avscan.exe	40
PID 1720 wrote to memory of 1604	1720	hosts.exe	39
PID 1720 wrote to memory of 1604	1720	hosts.exe	39
PID 1720 wrote to memory of 1604	1720	hosts.exe	39
PID 1720 wrote to memory of 1604	1720	hosts.exe	39
PID 1720 wrote to memory of 1764	1720	hosts.exe	42
PID 1720 wrote to memory of 1764	1720	hosts.exe	42
PID 1720 wrote to memory of 1764	1720	hosts.exe	42
PID 1720 wrote to memory of 1764	1720	hosts.exe	42
PID 1764 wrote to memory of 1132	1764	cmd.exe	44
PID 1764 wrote to memory of 1132	1764	cmd.exe	44
PID 1764 wrote to memory of 1132	1764	cmd.exe	44
PID 1764 wrote to memory of 1132	1764	cmd.exe	44
PID 1764 wrote to memory of 988	1764	cmd.exe	45
PID 1764 wrote to memory of 988	1764	cmd.exe	45
PID 1764 wrote to memory of 988	1764	cmd.exe	45
PID 1764 wrote to memory of 988	1764	cmd.exe	45
PID 536 wrote to memory of 1084	536	avscan.exe	46
PID 536 wrote to memory of 1084	536	avscan.exe	46
PID 536 wrote to memory of 1084	536	avscan.exe	46
PID 536 wrote to memory of 1084	536	avscan.exe	46
PID 1720 wrote to memory of 2036	1720	hosts.exe	49
PID 1720 wrote to memory of 2036	1720	hosts.exe	49
PID 1720 wrote to memory of 2036	1720	hosts.exe	49
PID 1720 wrote to memory of 2036	1720	hosts.exe	49

C:\Users\Admin\AppData\Local\Temp\490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9.exe
"C:\Users\Admin\AppData\Local\Temp\490abd45a6ab106ba5b5b2f2f5febf5330d20cc6191a916f2400864eba1b48f9.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1268
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1720
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1604
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1764
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1132
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:988
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2036
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1756
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1660
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:284
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:692
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1084
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1320
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1852
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
685KB

MD5
620ef73beea8a84c5cb24098a20c70bb

SHA1
b15ba6fa9b837300166accec8476c0a6135e05d5

SHA256
8785c47f200d28539e6a51bb550d1e028d5179acb5d9bab896ba265ff7e2dd41

SHA512
4ecb05f60d0436f155a21a736083591d74e54dc04c89d5069f1f0ad8b3ad4ec7422d00ef3263210322e736aec5d67e0efb211d86a3fd3446df48db5f34791dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.1MB

MD5
f8c6efacca53374f77d9e3b5aea7e7d9

SHA1
12804f370a4bf3af572726a71f08c05aae588aa6

SHA256
f18843aeb075e761088c83f8c7f288448fd398ee0b9c2ffc661e9223e4a2e117

SHA512
e47d4087d8d3fd433bab18b9c61d3bd3c1b19c58424cc44383a7cb8abf237cacb5bffe59c0928f723d8290732414587c5206df608fdcd1597bf4aba3e468f418

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.1MB

MD5
f8c6efacca53374f77d9e3b5aea7e7d9

SHA1
12804f370a4bf3af572726a71f08c05aae588aa6

SHA256
f18843aeb075e761088c83f8c7f288448fd398ee0b9c2ffc661e9223e4a2e117

SHA512
e47d4087d8d3fd433bab18b9c61d3bd3c1b19c58424cc44383a7cb8abf237cacb5bffe59c0928f723d8290732414587c5206df608fdcd1597bf4aba3e468f418

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.5MB

MD5
4c3a4c7e424382eb1a2eadb5058e64f2

SHA1
a2351dd61adc66ae769e194998876a1bafc3cc69

SHA256
38372570db7915669cb849435a30858c7b6b37f90c397b774c15737e4b473878

SHA512
8da0f17b11a06afb9304a69738976af879bcc78a8605d673454b0e91cf3f6e93e989e3601c27b257517a2227ee202330ae1d8e315909726cf33a62c7834a24af

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
212KB

MD5
d14f807f882c680f853799ce778cb4d0

SHA1
2373b95d22a2239169149cb8d5773de2ab0f9e01

SHA256
981e36f897758bb667638bc8e2ec6b3c10b68fd00c0187298d7001abde61f8b3

SHA512
ea800a6c222d8f0b645cca45981747b12ef59b34978e68b3ce769de502e270b85333650f99bf18ef8a34d387ebc6c8c1be7c14ee72dd9271b66b77b1b1124730

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
212KB

MD5
d14f807f882c680f853799ce778cb4d0

SHA1
2373b95d22a2239169149cb8d5773de2ab0f9e01

SHA256
981e36f897758bb667638bc8e2ec6b3c10b68fd00c0187298d7001abde61f8b3

SHA512
ea800a6c222d8f0b645cca45981747b12ef59b34978e68b3ce769de502e270b85333650f99bf18ef8a34d387ebc6c8c1be7c14ee72dd9271b66b77b1b1124730

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
212KB

MD5
d14f807f882c680f853799ce778cb4d0

SHA1
2373b95d22a2239169149cb8d5773de2ab0f9e01

SHA256
981e36f897758bb667638bc8e2ec6b3c10b68fd00c0187298d7001abde61f8b3

SHA512
ea800a6c222d8f0b645cca45981747b12ef59b34978e68b3ce769de502e270b85333650f99bf18ef8a34d387ebc6c8c1be7c14ee72dd9271b66b77b1b1124730

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
212KB

MD5
d14f807f882c680f853799ce778cb4d0

SHA1
2373b95d22a2239169149cb8d5773de2ab0f9e01

SHA256
981e36f897758bb667638bc8e2ec6b3c10b68fd00c0187298d7001abde61f8b3

SHA512
ea800a6c222d8f0b645cca45981747b12ef59b34978e68b3ce769de502e270b85333650f99bf18ef8a34d387ebc6c8c1be7c14ee72dd9271b66b77b1b1124730

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
8efab902a61f6cddc318bb5818c2f2e0

SHA1
9608751279ae04ba710d84c61e3937c12950b393

SHA256
a81d0e86c651ead3e4d9c7f64e637006e787c81c8ba3e784648c2786306bfb87

SHA512
aabd0e45609a39584c68c35e16124b399e9a4932bf6c98c22aa8c6ff71b2fbfc80333102960fcfca1abb38b344245f9cdf4cdc0c827c48235f618011a5fbfe18

Download Submit
C:\Windows\hosts.exe

Filesize
212KB

MD5
34f2bfae46dcd93b06fe9628196bb338

SHA1
e7c90f1302c98b724a6774d08586c8016df59740

SHA256
deaee6fa3de9e0257e8f06ba7304d70c7cdfe491368e3a966038972a410d8512

SHA512
951a90dede4ac3fdba5503aafad071e0be23255fadb7fe8efc8d54d94d7b2b956f10af61b08280cad425e113ccefe3edaaa7aa6e3c13c17573f9e05f2ae2d8cb

Download Submit
C:\Windows\hosts.exe

Filesize
212KB

MD5
34f2bfae46dcd93b06fe9628196bb338

SHA1
e7c90f1302c98b724a6774d08586c8016df59740

SHA256
deaee6fa3de9e0257e8f06ba7304d70c7cdfe491368e3a966038972a410d8512

SHA512
951a90dede4ac3fdba5503aafad071e0be23255fadb7fe8efc8d54d94d7b2b956f10af61b08280cad425e113ccefe3edaaa7aa6e3c13c17573f9e05f2ae2d8cb

Download Submit
C:\Windows\hosts.exe

Filesize
212KB

MD5
34f2bfae46dcd93b06fe9628196bb338

SHA1
e7c90f1302c98b724a6774d08586c8016df59740

SHA256
deaee6fa3de9e0257e8f06ba7304d70c7cdfe491368e3a966038972a410d8512

SHA512
951a90dede4ac3fdba5503aafad071e0be23255fadb7fe8efc8d54d94d7b2b956f10af61b08280cad425e113ccefe3edaaa7aa6e3c13c17573f9e05f2ae2d8cb

Download Submit
C:\Windows\hosts.exe

Filesize
212KB

MD5
34f2bfae46dcd93b06fe9628196bb338

SHA1
e7c90f1302c98b724a6774d08586c8016df59740

SHA256
deaee6fa3de9e0257e8f06ba7304d70c7cdfe491368e3a966038972a410d8512

SHA512
951a90dede4ac3fdba5503aafad071e0be23255fadb7fe8efc8d54d94d7b2b956f10af61b08280cad425e113ccefe3edaaa7aa6e3c13c17573f9e05f2ae2d8cb

Download Submit
C:\windows\hosts.exe

Filesize
212KB

MD5
34f2bfae46dcd93b06fe9628196bb338

SHA1
e7c90f1302c98b724a6774d08586c8016df59740

SHA256
deaee6fa3de9e0257e8f06ba7304d70c7cdfe491368e3a966038972a410d8512

SHA512
951a90dede4ac3fdba5503aafad071e0be23255fadb7fe8efc8d54d94d7b2b956f10af61b08280cad425e113ccefe3edaaa7aa6e3c13c17573f9e05f2ae2d8cb

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
212KB

MD5
d14f807f882c680f853799ce778cb4d0

SHA1
2373b95d22a2239169149cb8d5773de2ab0f9e01

SHA256
981e36f897758bb667638bc8e2ec6b3c10b68fd00c0187298d7001abde61f8b3

SHA512
ea800a6c222d8f0b645cca45981747b12ef59b34978e68b3ce769de502e270b85333650f99bf18ef8a34d387ebc6c8c1be7c14ee72dd9271b66b77b1b1124730

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
212KB

MD5
d14f807f882c680f853799ce778cb4d0

SHA1
2373b95d22a2239169149cb8d5773de2ab0f9e01

SHA256
981e36f897758bb667638bc8e2ec6b3c10b68fd00c0187298d7001abde61f8b3

SHA512
ea800a6c222d8f0b645cca45981747b12ef59b34978e68b3ce769de502e270b85333650f99bf18ef8a34d387ebc6c8c1be7c14ee72dd9271b66b77b1b1124730

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
212KB

MD5
d14f807f882c680f853799ce778cb4d0

SHA1
2373b95d22a2239169149cb8d5773de2ab0f9e01

SHA256
981e36f897758bb667638bc8e2ec6b3c10b68fd00c0187298d7001abde61f8b3

SHA512
ea800a6c222d8f0b645cca45981747b12ef59b34978e68b3ce769de502e270b85333650f99bf18ef8a34d387ebc6c8c1be7c14ee72dd9271b66b77b1b1124730

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
212KB

MD5
d14f807f882c680f853799ce778cb4d0

SHA1
2373b95d22a2239169149cb8d5773de2ab0f9e01

SHA256
981e36f897758bb667638bc8e2ec6b3c10b68fd00c0187298d7001abde61f8b3

SHA512
ea800a6c222d8f0b645cca45981747b12ef59b34978e68b3ce769de502e270b85333650f99bf18ef8a34d387ebc6c8c1be7c14ee72dd9271b66b77b1b1124730

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
212KB

MD5
d14f807f882c680f853799ce778cb4d0

SHA1
2373b95d22a2239169149cb8d5773de2ab0f9e01

SHA256
981e36f897758bb667638bc8e2ec6b3c10b68fd00c0187298d7001abde61f8b3

SHA512
ea800a6c222d8f0b645cca45981747b12ef59b34978e68b3ce769de502e270b85333650f99bf18ef8a34d387ebc6c8c1be7c14ee72dd9271b66b77b1b1124730

Download Submit
memory/1348-58-0x00000000743C1000-0x00000000743C3000-memory.dmp

Filesize
8KB

Download
memory/1348-56-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads